{
  lib,
  stdenv,
  fetchFromGitHub,
  fetchpatch,
  bzip2,
  expat,
  libffi,
  gdbm,
  db,
  ncurses,
  openssl,
  readline,
  sqlite,
  tcl ? null,
  tk ? null,
  tclPackages,
  libX11 ? null,
  x11Support ? false,
  zlib,
  self,
  coreutils,
  autoreconfHook,
  python-setup-hook,
  # Some proprietary libs assume UCS2 unicode, especially on darwin :(
  ucsEncoding ? 4,
  # For the Python package set
  packageOverrides ? (self: super: { }),
  pkgsBuildBuild,
  pkgsBuildHost,
  pkgsBuildTarget,
  pkgsHostHost,
  pkgsTargetTarget,
  sourceVersion,
  hash,
  passthruFun,
  static ? stdenv.hostPlatform.isStatic,
  stripBytecode ? reproducibleBuild,
  rebuildBytecode ? true,
  reproducibleBuild ? false,
  enableOptimizations ? false,
  strip2to3 ? false,
  stripConfig ? false,
  stripIdlelib ? false,
  stripTests ? false,
  pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}",
}:

assert x11Support -> tcl != null && tk != null && libX11 != null;

assert lib.assertMsg (enableOptimizations -> (!stdenv.cc.isClang))
  "Optimizations with clang are not supported. configure: error: llvm-profdata is required for a --enable-optimizations build but could not be found.";

assert lib.assertMsg (
  reproducibleBuild -> stripBytecode
) "Deterministic builds require stripping bytecode.";

assert lib.assertMsg (
  reproducibleBuild -> (!enableOptimizations)
) "Deterministic builds are not achieved when optimizations are enabled.";

assert lib.assertMsg (
  reproducibleBuild -> (!rebuildBytecode)
) "Deterministic builds are not achieved when (default unoptimized) bytecode is created.";

let
  buildPackages = pkgsBuildHost;
  inherit (passthru) pythonOnBuildForHost;

  pythonOnBuildForHostInterpreter =
    if stdenv.hostPlatform == stdenv.buildPlatform then
      "$out/bin/python"
    else
      pythonOnBuildForHost.interpreter;

  passthru =
    passthruFun rec {
      inherit self sourceVersion packageOverrides;
      implementation = "cpython";
      libPrefix = "python${pythonVersion}";
      executable = libPrefix;
      pythonVersion = with sourceVersion; "${major}.${minor}";
      sitePackages = "lib/${libPrefix}/site-packages";
      inherit hasDistutilsCxxPatch pythonAttr;
      pythonOnBuildForBuild = pkgsBuildBuild.${pythonAttr};
      pythonOnBuildForHost = pkgsBuildHost.${pythonAttr};
      pythonOnBuildForTarget = pkgsBuildTarget.${pythonAttr};
      pythonOnHostForHost = pkgsHostHost.${pythonAttr};
      pythonOnTargetForTarget = pkgsTargetTarget.${pythonAttr} or { };
      pythonABITags = [
        "none"
        "cp${sourceVersion.major}${sourceVersion.minor}"
      ];
    }
    // {
      inherit ucsEncoding;
    };

  version = with sourceVersion; "${major}.${minor}.${patch}${suffix}";

  # ActiveState is a fork of cpython that includes fixes for security
  # issues after its EOL
  src = fetchFromGitHub {
    owner = "ActiveState";
    repo = "cpython";
    rev = "v${version}";
    inherit hash;
  };

  hasDistutilsCxxPatch = !(stdenv.cc.isGNU or false);
  patches = [
    # Look in C_INCLUDE_PATH and LIBRARY_PATH for stuff.
    ./search-path.patch

    # Python recompiles a Python if the mtime stored *in* the
    # pyc/pyo file differs from the mtime of the source file.  This
    # doesn't work in Nix because Nix changes the mtime of files in
    # the Nix store to 1.  So treat that as a special case.
    ./nix-store-mtime.patch

    # patch python to put zero timestamp into pyc
    # if DETERMINISTIC_BUILD env var is set
    ./deterministic-build.patch

    # Fix python bug #27177 (https://bugs.python.org/issue27177)
    # The issue is that `match.group` only recognizes python integers
    # instead of everything that has `__index__`.
    # This bug was fixed upstream, but not backported to 2.7
    (fetchpatch {
      name = "re_match_index.patch";
      url = "https://bugs.python.org/file43084/re_match_index.patch";
      sha256 = "0l9rw6r5r90iybdkp3hhl2pf0h0s1izc68h5d3ywrm92pq32wz57";
    })

    # Fix race-condition during pyc creation. Has a slight backwards
    # incompatible effect: pyc symlinks will now be overridden
    # (https://bugs.python.org/issue17222). Included in python >= 3.4,
    # backported in debian since 2013.
    # https://bugs.python.org/issue13146
    ./atomic_pyc.patch

    # Backport from CPython 3.8 of a good list of tests to run for PGO.
    ./profile-task.patch

    # The workaround is for unittests on Win64, which we don't support.
    # It does break aarch64-darwin, which we do support. See:
    # * https://bugs.python.org/issue35523
    # * https://github.com/python/cpython/commit/e6b247c8e524
    ../3.7/no-win64-workaround.patch

    # fix openssl detection by reverting irrelevant change for us, to enable hashlib which is required by pip
    (fetchpatch {
      url = "https://github.com/ActiveState/cpython/pull/35/commits/20ea5b46aaf1e7bdf9d6905ba8bece2cc73b05b0.patch";
      revert = true;
      hash = "sha256-Lp5fGlcfJJ6p6vKmcLckJiAA2AZz4prjFE0aMEJxotw=";
    })
  ]
  ++ lib.optionals (x11Support && stdenv.hostPlatform.isDarwin) [
    ./use-correct-tcl-tk-on-darwin.patch

  ]
  ++ lib.optionals stdenv.hostPlatform.isLinux [

    # Disable the use of ldconfig in ctypes.util.find_library (since
    # ldconfig doesn't work on NixOS), and don't use
    # ctypes.util.find_library during the loading of the uuid module
    # (since it will do a futile invocation of gcc (!) to find
    # libuuid, slowing down program startup a lot).
    ./no-ldconfig.patch

    # Fix ctypes.util.find_library with gcc10.
    ./find_library-gcc10.patch

  ]
  ++ lib.optionals stdenv.hostPlatform.isCygwin [
    ./2.5.2-ctypes-util-find_library.patch
    ./2.5.2-tkinter-x11.patch
    ./2.6.2-ssl-threads.patch
    ./2.6.5-export-PySignal_SetWakeupFd.patch
    ./2.6.5-FD_SETSIZE.patch
    ./2.6.5-ncurses-abi6.patch
    ./2.7.3-dbm.patch
    ./2.7.3-dylib.patch
    ./2.7.3-getpath-exe-extension.patch
    ./2.7.3-no-libm.patch
  ]
  ++ lib.optionals hasDistutilsCxxPatch [

    # Patch from http://bugs.python.org/issue1222585 adapted to work with
    # `patch -p1' and with a last hunk removed
    # Upstream distutils is calling C compiler to compile C++ code, which
    # only works for GCC and Apple Clang. This makes distutils to call C++
    # compiler when needed.
    ./python-2.7-distutils-C++.patch
  ]
  ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
    ./cross-compile.patch
  ];

  preConfigure = ''
    # Purity.
    for i in /usr /sw /opt /pkg; do
      substituteInPlace ./setup.py --replace $i /no-such-path
    done
  ''
  + lib.optionalString (stdenv ? cc && stdenv.cc.libc != null) ''
    for i in Lib/plat-*/regen; do
      substituteInPlace $i --replace /usr/include/ ${stdenv.cc.libc}/include/
    done
  ''
  + lib.optionalString stdenv.hostPlatform.isDarwin ''
    substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"'
    substituteInPlace Lib/multiprocessing/__init__.py \
      --replace 'os.popen(comm)' 'os.popen("${coreutils}/bin/nproc")'
  '';

  configureFlags =
    lib.optionals enableOptimizations [
      "--enable-optimizations"
    ]
    ++ lib.optionals (!static) [
      "--enable-shared"
    ]
    ++ [
      "--with-threads"
      "--with-system-ffi"
      "--with-system-expat"
      "--enable-unicode=ucs${toString ucsEncoding}"
    ]
    ++ lib.optionals stdenv.hostPlatform.isCygwin [
      "ac_cv_func_bind_textdomain_codeset=yes"
    ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [
      "--disable-toolbox-glue"
    ]
    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
      "PYTHON_FOR_BUILD=${lib.getBin buildPackages.python27}/bin/python"
      "ac_cv_buggy_getaddrinfo=no"
      # Assume little-endian IEEE 754 floating point when cross compiling
      "ac_cv_little_endian_double=yes"
      "ac_cv_big_endian_double=no"
      "ac_cv_mixed_endian_double=no"
      "ac_cv_x87_double_rounding=yes"
      "ac_cv_tanh_preserves_zero_sign=yes"
      # Generally assume that things are present and work
      "ac_cv_posix_semaphores_enabled=yes"
      "ac_cv_broken_sem_getvalue=no"
      "ac_cv_wchar_t_signed=yes"
      "ac_cv_rshift_extends_sign=yes"
      "ac_cv_broken_nice=no"
      "ac_cv_broken_poll=no"
      "ac_cv_working_tzset=yes"
      "ac_cv_have_long_long_format=yes"
      "ac_cv_have_size_t_format=yes"
      "ac_cv_computed_gotos=yes"
      "ac_cv_file__dev_ptmx=yes"
      "ac_cv_file__dev_ptc=yes"
    ]
    # Never even try to use lchmod on linux,
    # don't rely on detecting glibc-isms.
    ++ lib.optional stdenv.hostPlatform.isLinux "ac_cv_func_lchmod=no"
    ++ lib.optional static "LDFLAGS=-static";

  strictDeps = true;
  buildInputs =
    lib.optional (stdenv ? cc && stdenv.cc.libc != null) stdenv.cc.libc
    ++ [
      bzip2
      openssl
      zlib
      libffi
      expat
      db
      gdbm
      ncurses
      sqlite
      readline
    ]
    ++ lib.optionals x11Support [
      tcl
      tk
      libX11
    ];
  nativeBuildInputs = [
    autoreconfHook
  ]
  ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
    buildPackages.stdenv.cc
    buildPackages.python27
  ];

  mkPaths = paths: {
    C_INCLUDE_PATH = lib.makeSearchPathOutput "dev" "include" paths;
    LIBRARY_PATH = lib.makeLibraryPath paths;
  };

  # Python 2.7 needs this
  crossCompileEnv = lib.optionalAttrs (stdenv.hostPlatform != stdenv.buildPlatform) {
    _PYTHON_HOST_PLATFORM = stdenv.hostPlatform.config;
  };

  # Build the basic Python interpreter without modules that have
  # external dependencies.

in
with passthru;
stdenv.mkDerivation (
  {
    pname = "python";
    inherit version;

    inherit
      src
      patches
      buildInputs
      nativeBuildInputs
      preConfigure
      configureFlags
      ;

    LDFLAGS = lib.optionalString (!stdenv.hostPlatform.isDarwin) "-lgcc_s";
    inherit (mkPaths buildInputs) C_INCLUDE_PATH LIBRARY_PATH;

    env.NIX_CFLAGS_COMPILE =
      lib.optionalString (stdenv.targetPlatform.system == "x86_64-darwin") "-msse2"
      + lib.optionalString stdenv.hostPlatform.isMusl " -DTHREAD_STACK_SIZE=0x100000"
      + " -std=gnu17";
    DETERMINISTIC_BUILD = 1;

    setupHook = python-setup-hook sitePackages;

    postPatch = lib.optionalString (x11Support && ((tclPackages.tix or null) != null)) ''
      substituteInPlace "Lib/lib-tk/Tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tclPackages.tix}/lib'"
    '';

    postInstall = ''
      # needed for some packages, especially packages that backport
      # functionality to 2.x from 3.x
      for item in $out/lib/${libPrefix}/test/*; do
        if [[ "$item" != */test_support.py*
           && "$item" != */test/support
           && "$item" != */test/regrtest.py* ]]; then
          rm -rf "$item"
        else
          echo $item
        fi
      done
      touch $out/lib/${libPrefix}/test/__init__.py
      ln -s $out/lib/${libPrefix}/pdb.py $out/bin/pdb
      ln -s $out/lib/${libPrefix}/pdb.py $out/bin/pdb${sourceVersion.major}.${sourceVersion.minor}
      ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}

      rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev

      # Determinism: Windows installers were not deterministic.
      # We're also not interested in building Windows installers.
      find "$out" -name 'wininst*.exe' | xargs -r rm -f
    ''
    + lib.optionalString stripBytecode ''
      # Determinism: deterministic bytecode
      # First we delete all old bytecode.
      find $out -name "*.pyc" -delete
    ''
    + lib.optionalString rebuildBytecode ''
      # We build 3 levels of optimized bytecode. Note the default level, without optimizations,
      # is not reproducible yet. https://bugs.python.org/issue29708
      # Not creating bytecode will result in a large performance loss however, so we do build it.
      find $out -name "*.py" | ${pythonOnBuildForHostInterpreter} -m compileall -q -f -x "lib2to3" -i -
      find $out -name "*.py" | ${pythonOnBuildForHostInterpreter} -O  -m compileall -q -f -x "lib2to3" -i -
      find $out -name "*.py" | ${pythonOnBuildForHostInterpreter} -OO -m compileall -q -f -x "lib2to3" -i -
    ''
    + lib.optionalString stdenv.hostPlatform.isCygwin ''
      cp libpython2.7.dll.a $out/lib
    '';

    inherit passthru;

    postFixup = ''
      # Include a sitecustomize.py file. Note it causes an error when it's in postInstall with 2.7.
      cp ${../../sitecustomize.py} $out/${sitePackages}/sitecustomize.py
    ''
    + lib.optionalString strip2to3 ''
      rm -R $out/bin/2to3 $out/lib/python*/lib2to3
    ''
    + lib.optionalString stripConfig ''
      rm -R $out/bin/python*-config $out/lib/python*/config*
    ''
    + lib.optionalString stripIdlelib ''
      # Strip IDLE
      rm -R $out/bin/idle* $out/lib/python*/idlelib
    ''
    + lib.optionalString stripTests ''
      # Strip tests
      rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}
    '';

    enableParallelBuilding = true;

    doCheck = false; # expensive, and fails

    meta = {
      homepage = "http://python.org";
      description = "High-level dynamically-typed programming language";
      longDescription = ''
        Python is a remarkably powerful dynamic programming language that
        is used in a wide variety of application domains. Some of its key
        distinguishing features include: clear, readable syntax; strong
        introspection capabilities; intuitive object orientation; natural
        expression of procedural code; full modularity, supporting
        hierarchical packages; exception-based error handling; and very
        high level dynamic data types.
      '';
      license = lib.licenses.psfl;
      platforms = lib.platforms.all;
      knownVulnerabilities = [
        "Python 2.7 has reached its end of life after 2020-01-01. See https://www.python.org/doc/sunset-python-2/."
        # Quote: That means that we will not improve it anymore after that day,
        # even if someone finds a security problem in it. You should upgrade to
        # Python 3 as soon as you can. [..] So, in 2008, we announced that we
        # would sunset Python 2 in 2015, and asked people to upgrade before
        # then. Some did, but many did not. So, in 2014, we extended that
        # sunset till 2020.
      ];
    };
  }
  // crossCompileEnv
)
